The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government, governmental subdivision, governmental agency, governmental instrumentality, public corporation, or any other legal or commercial entity that owns or licenses personal information of residents of Missouri or conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri.
Consumer Notification: Covered entities shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach.
Regulatory Notification: In the event that a covered entity provides notice to more than one thousand (1,000) consumers at one time pursuant to this section, the covered entity shall notify, without unreasonable delay, the attorney general's of the timing, distribution, and content of the notice.
Notification Timeline: Notice must be made without unreasonable delay.
Data Format: Computerized data.
Citations: Mo. Ann. Stat. § 407.1500.
- Breach: The unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.
- Personal Information (PI): An individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:
- Social Security number;
- Driver's license number or other unique identification number created or collected by a government body;
- Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;
- Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
- Medical information; or
- Health insurance information.
- Medical Information: Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- Health Insurance Information: An individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual.
- Encryption: Does not apply to personal information that is encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable.
- Good Faith: Good faith acquisition of personal information by a covered entity or that covered entity’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
- Risk of Harm: Notification is not required if, after an appropriate investigation by the covered entity or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the covered entity determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five (5) years.
- Law Enforcement Delay: Notice may be delayed if a law enforcement agency informs the covered entity that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request by law enforcement is made in writing or the covered entity documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. Notice shall be provided without unreasonable delay after the law enforcement agency communicates to the covered entity its determination that notice will no longer impede the investigation or jeopardize national or homeland security.
- Timing: Notice shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
- Format: N/A
- Content: The notice shall at minimum include a description of the following:
- The incident in general terms;
- The type of personal information that was obtained as a result of the breach of security;
- A telephone number that the affected consumer may call for further information and assistance, if one exists;
- Contact information for consumer reporting agencies;
- Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
- Method: Notice to affected consumers shall be provided by one of the following methods:
- Written notice;
- Electronic notice for those consumers for whom the covered entity has a valid email address and who have agreed to receive communications electronically, if the notice provided is consistent with the provisions of 15 U.S.C. Section 7001 regarding electronic records and signatures for notices legally required to be in writing;
- Telephonic notice, if such contact is made directly with the affected consumers; or
- Substitute notice.
Substitute notice may be given if:
- The covered entity demonstrates that the cost of providing notice would exceed one hundred thousand dollars ($100,000); or
- The class of affected consumers to be notified exceeds one hundred fifty thousand (150,000); or
- The covered entity does not have sufficient contact information or consent to satisfy paragraphs (a), (b), or (c) of this subdivision, for only those affected consumers without sufficient contact information or consent; or
- The covered entity is unable to identify particular affected consumers, for only those unidentifiable consumers.
- Substitute notice shall consist of all the following:
- Email notice when the covered entity has an electronic mail address for the affected consumer;
- Conspicuous posting of the notice or a link to the notice on the internet website of the covered entity if the covered entity maintains an internet website; and
- Notification to major statewide media.
In the event that a covered entity provides notice to more than one thousand (1,000) consumers at one time pursuant to this section, the covered entity shall notify, without unreasonable delay, the attorney general of the timing, distribution, and content of the notice.
Credit Reporting Agencies Notice:
In the event that a covered entity provides notice to more than one thousand (1,000) consumers at one time pursuant to this section, the covered entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notice.
Any entity that maintains or possesses records or data containing personal information of residents of Missouri that the entity does not own or license, or any entity that conducts business in Missouri that maintains or possesses records or data containing personal information of a resident of Missouri that the entity does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in this section.